(54) Secure data processing method and system

(57) The present invention relates to a secure data processing method and system which includes a central processing unit, an operating system (10) and a file system.

The file system includes data which consists of protected file entries included within directories of file entries. Each directory is made secure by having an associated digital directory signature stored with the directory. At least some of the file entries are also protected by an associated digital signature. The data processing system has means to perform a checking algorithm which calculates authentic signatures. Access to the data stored in the file system is only allowed if the authentic signature calculated by the system matches the signature of the directory being accessed. Access to a file entry in the directory is allowed if the calculated signature for the file entry matches the signature stored with the file entry.

Each file entry signature is stored as an encrypted signature in association with a pointer to a key which is used to decrypt the signature.

Description

The present invention relates to a secure data processing method and system and is of particular application to a financial terminal.

A data processing system commonly has a central processing unit, an operating system and a file system, usually including a hard disk, for files to be accessed by the central processor unit under the control of the operating system. All such computer systems rely on the software that, ultimately, controls the functions offered to the user.

Software can be tampered with to allow an attacker to compromise the data processing system. Protection cannot be achieved by simply restricting the files that can be executed, or by encrypting the files on the hard disk. This is because the compromise may occur unknown to a legitimate user, or could be a deliberate fraud.

It would be desirable to restrict access for updating files and to detect invalid changes in real time to prevent system compromise before damage can occur.

It is therefore an object of the present invention to provide a method and a system for restricting access to files in a data processing system which can operate in real time.

According to the present invention there is provided a method of accessing data in a file system of a data processing system which also includes a programmable central processor unit, and an operating system, the data of the file system having a digital signature identifying the data, the method comprising the steps of performing a checking algorithm to calculate an authentic digital signature for the data, reading the identifying digital signature from the file system, comparing the authentic digital signature of the data with the digital signature read from the file system and accessing the file data in response to a match between the authentic digital signature and the digital signature read from the file system.

Further according to the present invention there is provided a data processing system comprising a programmable central processing unit, an operating system, and a file system for data which has a digital signature to identify the data, the file system being provided with a file system driver including means to perform a checking algorithm to generate an authentic digital signature, means to read the identifying digital signature from the file system and means to allow access to the data only in response to a match between the authentic signature of the data and the identifying signature.

The invention will now be described, by way of example, with reference to the accompanying drawings in which:

Figure 1 is a diagrammatic representation of a file system included in a data processing system according to the present invention and

Figures 2 and 3 are operating flow diagrams relating to the operation of the file system of Figure 1.

Referring first to Figure 1, there is shown diagrammatically a file system incorporated into a data processing system which includes a central processor unit, not shown, and an operating system 10 which runs applications 11. The file system has a file system driver 12 which is a part of the operating system 10. The driver 12 is responsible for managing all the read and write operations to a disk drive 14 which includes a physical storage disk 15 on which the files are physically recorded. The file system driver includes a number of functions which are represented diagrammatically by the block 13. The functions included within the file system driver include an interface to the disk drive 14, a disk manager, a physical interface and cryptographic support.

The file system is incorporated into a secure terminal in which it is not possible to make unauthorised modifications to the operating system to remove the file system driver 12. The files in the file system are structured in a fashion similar to other file systems in that they have a root directory which is the top of a tree structure which contains other directories. Each directory, including the root directory, can contain files.

Each directory has a directory name and a directory signature. One of the directories on the physical disk 15 is shown schematically in Figure 1 as a convenient reference to the contents of the directory. The schematic diagram in Figure 1 does not represent the physical character of the directory, as will be well understood by those skilled in the art. Each directory may have a number of file entries from entry 1 to entry N. Each file entry has stored attributes including an attribute which is additional to those which are found on conventional file systems. The additional attribute is used to specify whether the file entry is protected or not.

If a file entry is not protected, then no further information respecting that file entry is stored on the disk 15. If, however, the file entry is protected, then a digital signature identifying the file entry is stored together with a pointer which links to a public key in a public key directory 16 stored on the disk 15. The public key directory 16 has a flat structure because the same public key may be used for file entries in more than one directory. The public keys are used to authenticate the file entries as will be explained.

Referring now to Figure 2, an instruction 17 to check a directory results in step 18 being performed to read the directory name and the directory signature. All the directories are protected using a symmetric key checking algorithm such as a MAC in the case of the DES algorithm. This prevents an unauthorised agency from changing the directory contents either by using a software driver or by removing the disk 15 to another location and altering it. The symmetric key must not be stored on the disk 15 but is kept in a secure location not accessible to the applications running on the system or to outside agencies. This key is randomly generated by the file system driver when it is installed.

After having performed the step 18, the correct authentic signature of the directory to be addressed is calculated by the file system in step 19 using the checking algorithm. The calculated authentic signature is compared with the recorded directory signature in step 20 and if the signatures match in step 21, the result is to return an indication that the directory is an authentic directory. If not, an error is returned.

In order to access a file, an instruction at step 22 results in traversing the path through which the directory including the file is authenticated in step 23. The file attributes of the file entry are read in step 24 and a determination is made in step 25 whether the file is signed or not. If the file is not signed, an indication is returned to allow access to the file entry. If, however, the file is signed, the signature and the public key in the directory 16 are both read in step 26. The signature of the file entry is decrypted in step 27 and the authentic digital signature for the file entry is calculated in step 28 by means of the cryptographic support included within the functions of the file system driver 12 using an asymmetric key algorithm. A comparison is performed in step 29 to determine whether the authentic signature matches the decrypted signature. If so, an indication is returned to allow access to the file entry. If not, an error indication is returned.

It will be seen that when a protected file is opened by an application, it will be checked for integrity using the digital signature recorded with the file and the associated public key assigned to that file. These protected files cannot be written to in the normal fashion or they will fail their integrity check. The file system will prohibit writing to the file.

A protected file can be exchanged for an equivalent protected file by supplying a new signed file, using the same public key, or by supplying an exchange message signed with the secret key partner of the existing public key and containing the new public key for the file.

Protected files can be deleted by supplying the secure file system with a deletion message which has been signed by the secret key partner of the public key supplied with the file to be deleted.

The file system is protected by a password mechanism, as will be described with reference to Figure 3, and the file system cannot be reformatted unless the password is supplied. The password is stored on the disk volume in an encrypted fashion using the symmetric key specified earlier.

In Figure 3, a create secure file instruction 30 is followed by the step of creating a directory entry in step 31. The supplied signature for the file is stored in step 32 and a determination is made in step 33 whether there is a new public key to be stored. If yes, a password for the public key list is got in step 34 and the password is checked in step 35. If not correct, an error return is made. If the password is correct, the public key which has been supplied is stored in the public key list and a key link for the file entry is stored in step 37.

If a new public key was not to be stored, the step 33 leads directly to the step 37. From the step 37, the data is written to the disk in step 38 and a successful indication is then returned.

Updates to the public key directory can either be accomplished automatically, when a new file is being added, or manually. In either case a password has to be entered to allow access to the directory. The password is not required when a file is being exchanged. The file system can be configured to allow only manual updates to the public key directory. In this case, when a new file is added, the system scans the directory for a public key matching that supplied with the file and adds the pointer reference.
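The two check flows of Figure 2 (directory MAC check, steps 17 to 21, and protected file access, steps 22 to 29) and the create secure file flow of Figure 3 (steps 30 to 38, including the password-gated update of the public key directory) are modelled below as a runnable Python example. This is an added illustration, not code from the patent. The patent specifies only "an asymmetric key algorithm" and a symmetric MAC; the toy RSA key generation, HMAC-SHA256 as the directory MAC, the in-memory dictionaries standing in for the disk, the keyed hash standing in for the encrypted stored password, and the file, key and password values are all assumptions made so the block runs on the standard library alone.

```python
"""Model of the signed file system described above (added example, not the
patent's code). Directories carry a MAC under a driver-held symmetric key;
protected entries carry an encrypted signature plus a pointer into a flat
public-key directory. The toy RSA (small keys, no padding) is an assumption
made so the block runs on the standard library alone; never reuse it."""
import hashlib, hmac, random, secrets

def _is_probable_prime(n, rounds=20):                     # Miller-Rabin
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_keypair(bits=256):
    """Return ((n, e), (n, d)); the secret half stays with whoever signs files."""
    e, primes = 65537, []
    while len(primes) < 2:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(c) and c not in primes and (c - 1) % e:
            primes.append(c)
    p, q = primes
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))

def _hash_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(secret, data):
    n, d = secret
    return pow(_hash_int(data), d, n)                      # the "encrypted signature"

class SecureFileSystem:
    def __init__(self, password):
        self._mac_key = secrets.token_bytes(32)            # made at install; never on disk
        self.key_dir = {}                                  # flat public key directory 16
        self.dirs = {"/": {"entries": {}, "sig": None}}    # directory name -> on-disk record
        # keyed hash stands in for the patent's encrypted stored password (assumption)
        self._pw_tag = hmac.new(self._mac_key, password.encode(), "sha256").digest()
        self.dirs["/"]["sig"] = self._dir_mac("/")
    def _dir_mac(self, name):
        """Symmetric check over name and entry metadata (attribute, signature, key link)."""
        h = hmac.new(self._mac_key, name.encode(), "sha256")
        for ename, en in sorted(self.dirs[name]["entries"].items()):
            h.update(b"%s|%d|%d|%s;" % (ename.encode(), en["protected"],
                                         en["sig"] or 0, (en["key_id"] or "").encode()))
        return h.digest()
    def check_directory(self, name):                       # Figure 2, steps 17-21
        return hmac.compare_digest(self._dir_mac(name), self.dirs[name]["sig"])
    def access_file(self, dirname, fname):                 # Figure 2, steps 22-29
        if not self.check_directory(dirname):              # step 23: authenticate the path
            return None
        en = self.dirs[dirname]["entries"][fname]          # step 24: read attributes
        if not en["protected"]:                            # step 25: unsigned file, allow
            return en["data"]
        n, e = self.key_dir[en["key_id"]]                  # step 26: follow the key link
        recovered = pow(en["sig"], e, n)                   # step 27: decrypt the signature
        return en["data"] if recovered == _hash_int(en["data"]) else None   # steps 28/29
    def add_plain_file(self, dirname, fname, data):
        self.dirs[dirname]["entries"][fname] = {"protected": False, "data": data,
                                                "sig": None, "key_id": None}
        self.dirs[dirname]["sig"] = self._dir_mac(dirname)
    def create_secure_file(self, dirname, fname, data, sig, key_id, public=None, password=""):
        """Figure 3, steps 30-38: a new public key needs the password, a known one does not."""
        if public is not None:                             # step 33
            tag = hmac.new(self._mac_key, password.encode(), "sha256").digest()
            if not hmac.compare_digest(tag, self._pw_tag):    # steps 34/35
                return False
            self.key_dir[key_id] = public
        elif key_id not in self.key_dir:
            return False
        self.dirs[dirname]["entries"][fname] = {"protected": True, "data": data,
                                                "sig": sig, "key_id": key_id}   # 31/32/37
        self.dirs[dirname]["sig"] = self._dir_mac(dirname)    # step 38: write to disk
        return True

def demo():
    """Constructed scenario: legitimate use, then two on-disk tampering attempts."""
    public, secret = gen_keypair()
    fs = SecureFileSystem(password="install-pw")           # constructed password
    prog = b"constructed program image"
    sig = sign(secret, prog)
    out = {"wrong_pw": fs.create_secure_file("/", "app.bin", prog, sig, "k1", public, "guess"),
           "created": fs.create_secure_file("/", "app.bin", prog, sig, "k1", public, "install-pw")}
    fs.add_plain_file("/", "notes.txt", b"data file with no security requirement")
    out["prog_ok"] = fs.access_file("/", "app.bin") == prog
    out["plain_ok"] = fs.access_file("/", "notes.txt") is not None
    entry = fs.dirs["/"]["entries"]["app.bin"]
    entry["data"] = prog + b" (patched)"                   # 1) alter the file body on disk
    out["body_tamper"] = (fs.check_directory("/"), fs.access_file("/", "app.bin"))
    entry["data"], entry["protected"] = prog, False        # 2) strip the protected attribute
    out["attr_tamper"] = (fs.check_directory("/"), fs.access_file("/", "app.bin"))
    return out
```

The two tampering cases in `demo()` show why the patent layers the two mechanisms: the directory MAC covers only the entry metadata (name, protected attribute, signature, key link), so altering a file body leaves the directory authentic and is caught by the file signature at step 29, whereas stripping the protected attribute from the on-disk entry is caught earlier, at the directory check of step 23, because the symmetric key needed to re-seal the directory is never on the disk.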

It will be apparent that a secure file system has been described which can protect directories and files from unauthorised changes. Some of the files may have no security requirements and be merely data files with no security implications. The protected files may be executed as programs or be loaded as dynamic link libraries.



Claims 

1. A method of accessing data in a file system of a data processing system which includes a programmable central processor unit, and an operating system, the data of the file system having a digital signature identifying the data, characterised by the steps of performing a checking algorithm to calculate (19) an authentic signature for the data, reading the identifying signature from the file system, comparing (20) the authentic digital signature of the data with the digital signature read from the file system, and accessing the file data in response to a match between the authentic digital signature and the digital signature read from the file system.

2. A method as claimed in claim 1, wherein the data comprises a directory of file entries having a digital signature identifying the directory.

3. A method as claimed in claim 1, wherein the data comprises one or more file entries within a directory of file entries, one or more of the file entries having an associated identifying digital signature.

4. A method as claimed in claim 3, wherein the directory has a digital signature identifying the directory.

5. A method as claimed in claim 3 or 4, wherein the file entries are each associated with an attribute indicating that the file entry is protected by an encrypted digital signature and are each associated with a key, the method comprising reading (20) the signature for a file entry and decrypting (27) the signature by means of the associated key.

6. A data processing system comprising a programmable central processing unit, an operating system (10), and a file system for data which has a digital signature to identify the data, the file system being provided with a file system driver (12) including means to perform a checking algorithm to generate an authentic digital signature, means to read the identifying digital signature from the file system and means to allow access to the data only in response to a match between the authentic signature of the data and the identifying signature.



7. A system as claimed in claim 6, wherein the file system is adapted to store the data in the form of a directory of file entries which has a digital signature identifying the directory.
8. A system as claimed in claim 6, wherein the file system is adapted to store the data in the form of file entries in a directory of file entries, one or more of the file entries having an associated digital signature.

9. A system as claimed in claim 8, wherein the file system is adapted to store a digital signature identifying the directory of file entries.

10. A system as claimed in claim 8 or 9, wherein the file system is adapted to store each of the file entries in association with an attribute to indicate whether the file entry is protected by an encrypted digital signature and in association with a key, the file system having means to decrypt each encrypted key using the associated key.